12 May 2017

'Privacy in Automation: An Appraisal of the Emerging Australian Approach' by Angela Daly in Computer Law & Security Review offers

an initial appraisal of the emerging Australian approach to applying privacy and data protection laws to automated technologies. These laws and the general context in which they operate will be explained, with appropriate comparisons made to the European Union frameworks. In order to examine their specific application vis-à-vis automated technologies, three case studies - Automated facial recognition technologies (AFRT), unmanned aerial vehicles (UAVs – better known as ‘drones’) and autonomous vehicles (or ‘driverless cars’) – are selected to examine the extent to which existing privacy and data protection laws, and their application, can be considered adequate to address privacy and data protection risks that these technologies bring. These case studies evidence existing deficiencies with privacy protection in Australia and the inadequacy of recent reform processes, demonstrating that Australian data privacy laws are not well placed to protect individuals’ rights vis-a-vis automated technologies.

09 May 2017

Commercial use of FOIA has, by all accounts, always been significant. As I documented in previous work, FOIA, Inc., businesses use FOIA for a variety of purposes and, at some agencies, can form the vast majority of requesters. One thing is constant across business use of FOIA, however, and that is the routine nature of commercial FOIA requests. Over and over again, commercial requesters seek the same kinds of documents, whether it be bid abstracts for defense contracts or licensing agreements filed by public corporations. I therefore proposed an aggressive affirmative disclosure regime in which agencies would identify the types of records routinely requested and publish comprehensive databases of those documents, thereby preempting the flood of commercial requesting.

For large regulatory agencies to whom single businesses submit hundreds and sometimes thousands of requests a year, however, my previous findings came as no surprise. FOIA officers at these agencies see their offices swamped with routine commercial requests and have adapted to become experts in responding to them. This essay explores the practicality of the affirmative disclosure methods I previously proposed from their perspective. In particular, using EPA, SEC, and FDA as case studies, it sheds light on actual agency experience implementing and considering these sorts of measures, including notable success stories. Beyond demonstrating that affirmative disclosure can be practical in some circumstances, however, it sheds light on obstacles agencies face as well. To that end, it seeks to outline circumstances in which affirmative disclosure is most immediately promising, as well as structural reforms that can reduce the barriers to success in a wider range of circumstances.

'The Right to Be Forgotten' by Michael J. Kelly and David Satola in (2017) 1 University of Illinois Law Review comments

The right to be forgotten refers to the ability of individuals to erase, limit, delink, delete or correct personal information on the Internet that is misleading, embarrassing, irrelevant or anachronistic. This legal right was cast into the spotlight by the European Court of Justice decision in the Google Spain case, confirming it as a matter of EU law. This “right,” however, has existed in many forms around the world, usually applying a balance-of-rights analysis between the right to privacy and the right to freedom of expression. The new European version, though, is based on a legal theory of intermediary liability where Internet search engines are now considered “data controllers,” and as such have liability for managing some content online. As it has evolved in Europe, this right has focused attention on key underlying policy considerations, as well as practical difficulties, in implementation under the new European regime. In particular, shifting the burden of creating compliance regimes and supervising important human rights from government to the private sector. Thus, in Europe, the function of balancing rights (privacy versus speech) in the digital context has been “outsourced” to the private sector. Recent experience in Europe under this regime shows that there is no uniform approach across countries. Moreover, different national approaches to the “right” make it almost impossible for multinational entities to comply across jurisdictions. Apart from the data controller threshold, civil-law jurisdictions seem to give greater weight to privacy concerns in striking this balance. Common-law jurisdictions tend to give greater weight to expression. The right to be forgotten is another example of an evolving transatlantic data struggle with potentially serious trade implications. 
This Article explores the historical and theoretical foundations of the right to be forgotten and assesses practical legal issues including whether North American “free speech” rights are an effective buffer to what is sometimes a very controversial and evolving issue.

'Doxfare – Politically Motivated Leaks and the Future of the Norm on Non-Intervention in the Era of Weaponized Information' by Ido Kilovaty in (2017) 9 Harvard National Security Journal comments

Alleged Russian intervention during the 2016 U.S. presidential election presented international law with a challenge of characterizing the phenomenon of politically motivated leaks by foreign actors, carried out in cyberspace. Typically, international law’s norm of non-intervention applies only to acts coercive in nature, leaving disruptive acts outside of the scope of prohibited intervention. That raised a host of questions on the relevancy and inflexibility of traditional international law in relation to new threats and challenges in cyberspace. The discourse on transnational cyberspace operations highlights it becomes increasingly difficult to deal with nuanced activities that cause unprecedented harms, such as the Democratic National Committee Hack. This article argues foreign actors meddling with a legitimate political process in another State through cyberspace are violating the norm of non-intervention. Although the coercion requirement is absent, international law should consider non-coercive interfering acts that constitute sabotage and result in disruptive effects to domestic processes. As this paper contends cyberspace operations are distinctly different in their effects, so that a traditional standard of coercion for the norm on non-intervention is simply unattainable and requires the introduction of a new standard based on disruption. Finally, this article explores a few challenges and tensions ahead for harmful transnational cyberspace activities and offers a few directions to resolve these difficulties.

08 May 2017

The Productivity Commission's Data Availability and Use report released today features the following 'key points' -

Extraordinary growth in data generation and usability has enabled a kaleidoscope of new business models, products and insights. Data frameworks and protections developed prior to sweeping digitisation need reform. This is a global phenomenon and Australia, to its detriment, is not yet participating.

The substantive argument for making data more available is that opportunities to use it are largely unknown until the data sources themselves are better known, and until data users have been able to undertake discovery of data.

Lack of trust by both data custodians and users in existing data access processes and protections and numerous hurdles to sharing and releasing data are choking the use and value of Australia’s data. In fact, improving trust community-wide is a key objective.

Marginal changes to existing structures and legislation will not suffice. Recommended reforms are aimed at moving from a system based on risk aversion and avoidance, to one based on transparency and confidence in data processes, treating data as an asset and not a threat. Significant change is needed for Australia’s open government agenda and the rights of consumers to data to catch up with achievements in competing economies.

At the centre of recommended reforms is a new Data Sharing and Release Act, and a National Data Custodian to guide and monitor new access and use arrangements, including proactively managing risks and broader ethical considerations around data use.

A new Comprehensive Right for consumers would give individuals and small/medium businesses opportunities for active use of their own data and represent fundamental reform to Australia’s competition policy in a digital world. This right would create for consumers:

powers comparable to those in the Privacy Act to view, request edits or corrections, and be advised of the trade to third parties of consumer information held on them

a new right to have a machine-readable copy of their consumer data provided either to them or directly to a nominated third party, such as a new service provider.

A key facet of the recommended reforms is the creation of a data sharing and release structure that indicates to all data custodians a strong and clear cultural shift towards better data use that can be dialled up for the sharing or release of higher-risk datasets.

For datasets designated as national interest, all restrictions to access and use contained in a variety of national and state legislation, and other program-specific policies, would be replaced by new arrangements under the Data Sharing and Release Act. National Interest Datasets would be resourced by the Commonwealth as national assets.

A suite of Accredited Release Authorities would be sectoral hubs of expertise and enable the ongoing maintenance of, and streamlined access to, National Interest Datasets as well as to other datasets to be linked and shared or released.

A streamlining of ethics committee approval processes would provide more timely access to identifiable data for research and policy development purposes.

Incremental costs of more open data access and use, including those associated with better risk management and alterations to business data systems, will exist but should be substantially outweighed by the opportunities presented.

Governments that ignore potential gains through consumer data rights will make the task of garnering social licence needed for other data reforms more difficult. Decoupling elements of this Framework runs the risk of limiting benefits to, and support from, the wider public.
